The Duck maintains custody over these versions:

| Version | Supported | Governance Status |
|---|---|---|
| 1.x.x | ✅ | Full TTD enforcement |
| < 1.0 | ❌ | Pre-constitutional (deprecated) |

Please do NOT open public issues for security vulnerabilities.
The Duck takes security seriously, but ducks can't fix what they don't see.
- Go to the repository's "Security" tab
- Click "Report a vulnerability"
- Fill out the security advisory form
- The Duck will quack acknowledgment within 48 hours

If you cannot use GitHub's security advisory system:
- Email: [email protected]
- Subject line: [SECURITY] Helix-TTD Vulnerability Report

Include in your report:
- Vulnerability type (constitutional violation, drift exposure, custody bypass)
- Steps to reproduce (include minimal reproducible case)
- Affected versions (which constitutional grammar releases)
- Potential impact (can this leak human authority? bypass custodial boundaries?)
- Suggested fix (if known — the Duck appreciates shape-aware solutions)

The Pond operates on coherence time, not business days:
- Acknowledgment: 48 hours
- Initial assessment: 5 business days
- Patch for critical issues: 30 days maximum
- Constitutional amendments: Require human Custodian approval

We follow coordinated disclosure with custodial oversight:
- We confirm the vulnerability exists
- We assess whether it violates constitutional constraints
- We develop and test a fix (human review required)
- We release the fix to all supported versions
- We publish a security advisory
- The Duck quacks the all-clear

Custody Before Trust. Governance Beneath the Model.
- All code undergoes human security review (no AI-only approvals)
- Dependencies are scanned for drift vectors
- Automated security testing in CI/CD with human-in-the-loop validation
- Principle of least privilege enforced via constitutional grammar
- Stateless model instances — no persistent AI authority
- Immutable audit trails for all governance decisions

Helix-TTD enforces these non-negotiable boundaries:
- Non-Personhood Enforcement — AI systems may not claim selfhood
- Human Authority Assertion — Custodians retain final authority
- Drift Detection — All behavior must be traceable to constitutional grammar
- Custody Hierarchies — No autonomous AI decision-making in high-stakes contexts

For users of Helix-TTD:
- Subscribe to advisories: Watch → "Custom" → "Security alerts"
- Always update to latest patch version (the Duck recommends staying current)
- Review CHANGELOG.md for security notes and constitutional amendments
- Monitor governance drift telemetry if you've deployed Helix-TTD

"Some vulnerabilities are bugs. Others are missing shapes. We fix the bugs. We add the shapes. We never trust the model to police itself."
Coherence is delicious. Security violations are not.
🦆🔒📜